What are the implications of codesigning an OS X application with a self-signed certificate?

蹲街弑〆低调 submitted on 2019-12-06 04:10:56

Question


Apple seems to restrict some OS X APIs (e.g. sandboxing) to applications that are codesigned by a trusted certificate, e.g. one issued to members of the paid Mac Developer program.

How does OS X treat applications that are codesigned with a self-signed (or a development) certificate?

  • Will those features/APIs be available, and the only difference be that users with the default Gatekeeper settings cannot (easily) launch such an application?
  • Will they be treated just like unsigned apps in every way (entitlements and sandboxing disabled, warning for Gatekeeper users)?
  • Or will a self-signed certificate be considered an error, and the app will not launch at all regardless of the user's Gatekeeper settings?

Answer 1:


AFAIK, apps that aren't code-signed with a certificate that Gatekeeper accepts would be treated as unsigned. I don't know about access to specific features and APIs.

But you can make your self-signed cert acceptable to Gatekeeper. If you sign your code using certificates that weren't issued by Apple, every machine on which you want to run that code as signed would have to (a) have your certificate installed, and (b) have policies set via the spctl command that tell Gatekeeper to allow executing and/or installing code signed by that cert. This part has been tested and verified on Mavericks.

It is more difficult with kernel extensions. I'm still working on that. :-)



Source: https://stackoverflow.com/questions/23383654/what-are-the-implications-of-codesigning-an-os-x-application-with-a-self-signed
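Steps (a) and (b) from the answer, as an added example that is not part of the original post. It assumes the `security add-trusted-cert` and `spctl --add ... --requirement` options documented in the macOS man pages of that era; the rule label, file names and fingerprint are constructed placeholders, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example, not from the original answer. The label, file names and
# fingerprint used with it are constructed placeholders.
LABEL="${LABEL:-example-selfsigned}"   # hypothetical Gatekeeper rule label
DRY_RUN="${DRY_RUN:-1}"                # 1 = only print the commands

# Print a command; execute it only when DRY_RUN=0 (needs root on macOS).
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Build a code requirement pinning the signing (leaf) certificate by its
# SHA-1 fingerprint. Accepts colons/spaces and either letter case.
leaf_requirement() {
    fp=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    case "$fp" in
        ''|*[!0-9A-F]*) echo "fingerprint is not hex" >&2; return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || { echo "expected 40 hex digits" >&2; return 1; }
    printf 'certificate leaf = H"%s"' "$fp"
}

# Usage: allow_self_signed <cert.cer> <sha1-fingerprint> <App.app>
allow_self_signed() {
    cert=$1 app=$3
    req=$(leaf_requirement "$2") || return 1
    # (a) install the certificate, trusted for the code signing policy
    run security add-trusted-cert -d -r trustRoot -p codeSign \
        -k /Library/Keychains/System.keychain "$cert" || return 1
    # (b) add and enable a Gatekeeper rule for code signed by that certificate
    run spctl --add --type execute --label "$LABEL" --requirement "$req" || return 1
    run spctl --enable --label "$LABEL" || return 1
    # Check: the signature is intact and Gatekeeper now accepts the app
    run codesign --verify --verbose=2 "$app" || return 1
    run spctl --assess --type execute -vv "$app"
}
```

Pinning the rule to the leaf certificate's fingerprint keeps the exception narrow: only code signed by that one certificate is accepted, and removing the labelled rule revokes it.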
